Moving the Goalposts for Canadian Data: Federal Privacy Commissioner Changes Position on Cross-Border Transfers

A high profile data breach involving a US company, Equifax Inc.[i], and its Canadian subsidiary, Equifax Canada Co., along with the coming into force of the European Data Protection Regulation (“GDPR”), appear to be the driving forces behind the Office of the Privacy Commissioner of Canada’s (the “OPC”) recent decision to review and, potentially, significantly change the manner in which cross-border “transfers” of personal information will be treated under Canadian privacy law. In a document that was released on April 9, 2019, the OPC has signalled that it will no longer view a “transfer” of personal information as a “use” but rather as a “disclosure” under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), imposing significant restrictions and additional organizational obligations on cross-border data transfers. The OPC has commenced a public consultation process on this issue, which is to conclude June 4, 2019.

Background

Cross-border transfer of personal information is a vitally important topic for many organizations active in Canada, the United States, the European Union, and elsewhere. As the European Commission recognizes, “it is essential these days to be able to also transmit data to third countries.” Under the European Data Protection Regulation (“GDPR”), transfers of data outside of the European Economic Area (“EEA”) require consent and can only occur if data is transferred to a jurisdiction that has “adequacy status” or there is another permissible mechanism, such as the US Privacy Shield or “Binding Corporate Rules.” Canada is one of the countries that is considered to have adequate protection under PIPEDA so that transfers from Europe to Canada are legal without the need for additional mechanisms, such as the Privacy Shield, to be put into place.

Prior to the Equifax investigation, the OPC’s official position on cross-border transfers of personal information was set out in its 2009 Guidelines for Processing Personal Data Across Borders (the “Guidelines”). Under the Guidelines, the OPC acknowledged that PIPEDA does not establish rules governing transfers of personal data for processing. It was the OPC’s position that information flowing between affiliated organizations or to a third party for processing constituted a “use” of information, rather than a “disclosure” of personal information. Provided that the information was being used for those purposes for which it was originally collected, additional consent for the transfer to the third party was not required. Importantly, this approach allowed Canadian entities to outsource data-processing activities to other jurisdictions and/or share personal data with affiliated corporations in other jurisdictions without the need to obtain additional consent.

However, on April 9, 2019, the OPC released a position document on how trans-border and intercompany transfers of Canadian personal information are handled. The OPC takes the position that the transfer of personal information between affiliated organizations or to a third party for processing should be considered a “disclosure” rather than “use” of information and that, consequently, such “disclosures” require meaningful consent.

It would no longer be sufficient to simply include a notice in an organization’s privacy policy that personal data may be stored in a different jurisdiction and be subject to that jurisdiction’s privacy laws. Organizations that process personal information about Canadians in other countries will now have to meet a higher standard to ensure that they have complied with the requirement to obtain meaningful consent from those individuals to process or store their personal data outside of Canada. Also, the form of consent required for trans-border and intercompany transfers of personal information is assessed based on an analysis of: (i) the sensitivity of the information; and (ii) the reasonable expectation of the discloser. Another factor which informs this analysis is the risk of harm to an individual. Where there is a material risk of harm, express consent, rather than implied consent, is required.

Practical Considerations

Not only does the revised position materially alter the established Canadian approach to cross-border data transfers under Canadian law, it also entails several practical considerations for organizations, including the following:

Current web privacy policies and other aspects of current privacy programs in general may no longer be adequate to comply with the new approach.

Procedures and consent mechanisms may need to be altered or implemented to obtain the consent required when engaging in trans-border data transfers to third party service providers as well as to affiliated companies located outside of Canada.

The additional consent requirements for cross-border data transfers may create unintended trade consequences: the additional consent requirements may be viewed as a non-tariff barrier to trade, given that such additional consent requirements could be regarded as more onerous than those actually required to adhere to local privacy policies.

Given the significant impact on organizations located in Canada or that process Canadian data, stakeholders are encouraged to participate in consultation with their professional advisors on this topic prior to June 4, 2019.

[i] On May 13, 2017, hackers gained access to Equifax Inc. data. The data breach occurred after hackers infiltrated to Equifax Inc.’s system by exploiting a vulnerability in the platform software that the company knew about for over two months, but did not fix.

The OPC investigated the breach and determined that certain personal information of Canadian individuals was accessed as a result of the breach. Those individuals had all obtained products from Equifax Canada through transactions processed by the U.S. entity, Equifax Inc. The OPC found that the Canadian customers had interacted exclusively with Equifax Canada at the time, and were not explicitly advised that their transactions would involve their personal information being accessed in the U.S. by the U.S. entity.

The OPC ultimately held that the transfer of information to the U.S. company, Equifax Inc., was inconsistent with the Canadian entity’s obligations under PIPEDA to obtain meaningful consent from individuals before disclosing personal information to a third party. The OPC held that, where individuals would not reasonably expect the transfer of personal information to a third party, consent must be express and valid. For consent to be valid, individuals must be provided with clear information about the disclosure, including all associated risks and, where applicable, the fact that the third party is located in another country and the attendant risks in that regard.

Disclaimer

The blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of the blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.